Reporting on Local Accounts Using PowerShell

Keep an eye on user accounts whether you're local or not.

By Boe Prox

04/15/2015

One of the things that PowerShell doesn't have is a way to view local accounts on local and remote systems. Fortunately for us, we have a couple of options at our disposal that can get around this to view what accounts are built on a system as well as various details about those accounts.

The two approaches that I will be covering to view local accounts are done using Windows Management Instrumentation (WMI) and Active Directory Services Interfaces (ADSI). Both approaches offer some differences in what can be viewed in regards to local accounts when used against a local or remote system.

WMI Approach
The first method that I will introduce you to is using WMI and the Win32_UserAccount class. When using this class, we need to make sure that we use a filter to only look at local accounts. Otherwise we will pull all of the accounts that are on the domain.

Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

[Click on image for larger view.]Figure 1. List of local accounts using WMI.

From here, we can see a few things about the account such as the name and SID as well as the account type. But, I want to see a little bit more information about these accounts, so I will opt to select a few more properties to view.

Here we can see the same properties that were originally shown, but now we are able to look at whether the accounts have been disabled, locked out and what the password restrictions are. This is great and all, but it would be nice to see some other bits of information about the accounts such as any user flags and other password requirements that we cannot see using WMI. Fortunately, we can do this using ADSI as a means to query the local accounts.

ADSI Approach
Using ADSI is not just for querying Active Directory! We can use this to perform queries or changes against local and remote computers as well. We just have to adjust from using LDAP:// to WinNT:// instead and supply the computer name.

Of course, this isn't much to look at by itself, so we will use Select-Object with a wildcard to look at all of the available properties of an account to get a better idea of what is available to us.

$Users[0] | Select *

[Click on image for larger view.]Figure 5. All properties from account in ADSI.

We definitely have a lot more information available to us here than with WMI. You may have noticed there is no defined SID here, but a property called ObjectSid which has something that looks like it could be the SID that we are looking for. The ObjectSid is actually a byte array that needs to be converted to its string representation of a SID. We can do this in one line as shown below:

S-1-5-21-1315970109-1571106365-1434827950-500 is the SID that gets returned I run this command.

We aren't done yet with converting values to something more usable. Take note of the UserFlags property which shows a value of 8389121, which doesn't really mean a whole lot. We have to do use a bitwise operator, -BOR along with knowledge of what values we need to perform the bitwise operation with in order to determine the more human readable values that the userflags property represents. We can find a list of all of these values out on MSDN here. Rather than do this each time to find the data, I have a simple function that can do this for me.

[Click on image for larger view.]Figure 6. Results of using Get-LocalUser function.

With that, we can use this to report on accounts in our network and provide a report if needed. We could even use this and filter for passwords that have expired, accounts that haven't been used, etc. That's all for today! Hopefully this information helps out in providing a good means to look at your accounts on your systems.

About the Author

Boe Prox is a Microsoft MVP in Windows PowerShell and a Senior Windows System Administrator. He has worked in the IT field since 2003, and he supports a variety of different platforms. He is a contributing author in PowerShell Deep Dives with chapters about WSUS and TCP communication. He is a moderator on the Hey, Scripting Guy! forum, and he has been a judge for the Scripting Games. He has presented talks on the topics of WSUS and PowerShell as well as runspaces to PowerShell user groups. He is an Honorary Scripting Guy, and he has submitted a number of posts as a to Microsoft's Hey, Scripting Guy! He also has a number of open source projects available on Codeplex and GitHub. His personal blog is at http://learn-powershell.net.